urelas | 84b18900ced1d3c222771d77ece0657d2158f3d35aa8478b8c7e17f8d561cfe0

General

Target

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
Size

557KB
MD5

3d6571448211d60fb89e678a8acf328f
SHA1

f80b25b41de70f1dba186af89ff67a0352794cde
SHA256

84b18900ced1d3c222771d77ece0657d2158f3d35aa8478b8c7e17f8d561cfe0
SHA512

565b35d4878ea69d5246394ce552198093eec4dabbd5c8011776507b49da639df5d52776ed21efd9134dd1d29061beecf8ac0f922088ad4964eae2f7dd92d2c8
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEys:znPfQp9L3olqFs

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exeotzie.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	otzie.exe

Executes dropped EXE 2 IoCs

Processes:

otzie.exeqaqug.exe

pid process

3920 otzie.exe
4404 qaqug.exe

pid	process
3920	otzie.exe
4404	qaqug.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\otzie.exe	upx
behavioral2/memory/3920-10-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4180-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3920-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3920-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qaqug.exe

pid	process
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe
4404	qaqug.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exeotzie.exe

description	pid	process	target process
PID 4180 wrote to memory of 3920	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	otzie.exe
PID 4180 wrote to memory of 3920	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	otzie.exe
PID 4180 wrote to memory of 3920	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	otzie.exe
PID 4180 wrote to memory of 1388	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 4180 wrote to memory of 1388	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 4180 wrote to memory of 1388	4180	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 3920 wrote to memory of 4404	3920	otzie.exe	qaqug.exe
PID 3920 wrote to memory of 4404	3920	otzie.exe	qaqug.exe
PID 3920 wrote to memory of 4404	3920	otzie.exe	qaqug.exe

C:\Users\Admin\AppData\Local\Temp\3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\otzie.exe
"C:\Users\Admin\AppData\Local\Temp\otzie.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\qaqug.exe
"C:\Users\Admin\AppData\Local\Temp\qaqug.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
07c920fb3c3e7fb2e3049429fe267026

SHA1
b908616e02e0aa2ef94149841ae5b0dce9fb8e67

SHA256
b601b411345733d45a63f746ab3dd425bf878a39ca57577750827de5670ed6b1

SHA512
bff33897a991e8d06d27dc8b62f940814da239cd674cdcc2cba1f7dd376dfafccc1c5a1924ebf01655fbb53d38e9745ff54519b2f5e2eee31708287a4322df77

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
923352a23d54710af999788901aee0fe

SHA1
ac60777b17ba587e09c50ba0f9438ca2728be413

SHA256
29130ece58706311ca2fc0e7ae843cce2d3fcd11456238cb5c6f3e55c1b3331a

SHA512
f6dd1bcd15a8dcfc94cca5f76bf9cb627899fa9bcb95a95fc009ef16ce41ae96c74350a97fcf311b538c64bee1f44958bed004d0d199715ccd0a295ba964111c

Download Submit
C:\Users\Admin\AppData\Local\Temp\otzie.exe
Filesize
557KB

MD5
804fda8bccf50a21790951c93edccce5

SHA1
f8da03fa1a1f575b52a012b7c28842f34cd68be4

SHA256
ab09dda3bcfedb74edae0a95b0f62322c5f37fd683b7d243528b3f6a2d05770e

SHA512
1e5a9e760eced6ae869ee9e8e9131f214f8ffabc6d224a689308285f661a8d91c85553906ab21451a3b69c965a1a8be6baf5cf052d8a1473a0945f2ddb76353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaqug.exe
Filesize
194KB

MD5
364fdf04460e46d07db587480ea7e841

SHA1
83971e297697744d8967932a31adcae3845734ad

SHA256
d62ad83015ab5069c95728ccf3aaac48b4bff3f8de063e1491f01191ef0be824

SHA512
f38f4391d04e2a5328a9da7bf3d1b88e3f7263cadf41daeeaf9899281a8dc6eae23b04b9eb30d3778838fc45ca765a859e8bd94655183e9ab3edc319dccebbd2

Download Submit
memory/3920-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3920-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3920-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4180-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4180-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4404-28-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4404-27-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4404-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4404-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4404-32-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4404-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4404-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4404-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads